SKeyes Center for Media and Cultural Freedom - Samir Kassir Foundation

Towards a Modern Personal Data Protection Law in Lebanon

Tuesday, 02 April 2024
Design: Marc Rechdane

The ongoing debate regarding privacy and personal data protection is intensifying, driven by potential violations of both privacy rights and personal data protection in the rapidly advancing technological landscape of the current digital age.

The distinction between the right to privacy and the right to personal data protection is crucial, although they are often intertwined. Privacy concerns an individual’s control over the accessibility and use of their information by others, while personal data protection involves implementing tools and policies to secure and safeguard such data from unauthorized access, loss, tampering, or misuse by those processing it.

Recognizing the paramount importance of upholding these rights, it has become imperative to counter their violation through the enactment of laws that strengthen their protection. Numerous countries have taken significant steps in this direction, with the European Union notably passing the General Data Protection Regulation (GDPR) on April 14, 2016, and implementing it as of May 25, 2018.

The significance of personal data protection law is underscored by the principle of “individual autonomy,” emphasizing an individual’s independence in decision-making regarding their personal life. This principle ensures that individuals retain control over their personal information and protects against arbitrary or illegal intrusions into their privacy without informed consent. Informed consent entails the right to understand why personal data is being collected, the purpose behind its collection, and the consequences of sharing this data with other parties.

Responsibility for safeguarding personal data against leaks or harm lies with those processing the data, aligning with the principle of protecting the right to privacy and private life. This protection extends beyond initial consent, granting individuals the right to object to processing and revoke their consent.

The principle of “individual autonomy” extends beyond privacy and personal data protection to encompass a range of democratic values, including freedom of opinion, expression, and assembly.

In addition to safeguarding these rights and values, personal data protection laws also counter cyber threats stemming from digital transactions and global network interconnectivity. These laws set procedures to protect against fraudulent activities, unauthorized access to personal information, and data breaches, strengthening digital infrastructure and defenses.

Furthermore, this law serves to highlight the efforts exerted by the state and its institutions to adhere to best standards in this field, fostering trust between the state and society, especially personal data subjects. Moreover, it enhances the state’s credibility in its interactions with the international community, attracting foreign investments, stimulating economic growth, and strengthening diplomatic relations. These elements pave the path for international collaboration in an interconnected world facilitated by globalization, communication networks, and the internet.

The absence of a dedicated personal data protection law in Lebanon underscores the urgent need for comprehensive legislation aligned with international standards, particularly the GDPR. By comparing the GDPR with laws in Oman, Qatar, and Tunisia, this report aims to identify effective practices and rectify shortcomings within Lebanon’s legal framework. Notable examples include Tunisia’s Law No. 63 on the Protection of Personal Data, Qatar’s Law No. 13 on the Protection of Personal Data, and Oman’s Sultani Decree No. 6/2022 on the Protection of Personal Data.


The Lebanese Parliament has yet to pass a law specifically dedicated to addressing the protection of personal data. Instead, such protection is regulated within Law No. 81, “Electronic Transactions and Personal Data Protection,” enacted on October 10, 2018. However, the provisions pertaining to this protection are outdated and prove ineffective in ensuring the safeguarding of private data at present. Moreover, they fall short of fully considering this law’s core principle of “individual autonomy” since the current legislation does not explicitly mandate obtaining data subjects’ consent for the processing of their data. Therefore, there is an urgent need for the enactment of a comprehensive law solely focused on protecting personal data, one that safeguards data from any breaches, in accordance with this principle and international best standards in this field.

This report, prepared by SEEDS for Legal Initiatives with the support of the United Nations Democracy Fund, aims to establish a comprehensive index of the Personal Data Protection Law in Lebanon, drawing heavily from the General Data Protection Regulation (GDPR) issued by the European Union. Effective since May 25, 2018, this regulation stands out as one of the most important legislations safeguarding personal data, given its extensive scope, procedures, and mechanisms imposed on data processors, in addition to its focus on the rights of data subjects. The regulation also emphasizes the importance of privacy, accountability, and transparency and imposes severe sanctions on violators. Furthermore, it has contributed, both within and beyond the EU, to disseminating the culture of personal data protection within institutions and raising awareness among individuals about their rights in this domain.

The GDPR set forth by the European Union was compared with the laws of Lebanon, the Sultanate of Oman, Qatar, and Tunisia. The aim is to discern the diverse approaches taken by these countries in protecting personal data, adopting the most effective practices in this field, and rectifying the loopholes and shortcomings within the Lebanese legal system. The Tunisian law No. 63 on the Protection of Personal Data, issued on July 27, 2004, was selected because the rights to privacy and the protection of personal data are enshrined in the Tunisian Constitution. Qatar was chosen for its pioneering role as the first Gulf Cooperation Council member state to adopt dedicated legislation for personal data protection, as embodied in Law No. 13 on the Protection of Personal Data, issued on November 3, 2016. Additionally, the Sultanate of Oman's Sultani Decree No. 6/2022 on the Protection of Personal Data, issued on February 9, 2022, was selected because it is relatively recent compared to other legislations in the region.

Based on the study of the aforementioned laws and their comparison with the GDPR issued by the EU, we have strived to set the best standards that Lebanon’s personal data protection law must align with, should there be a political will to enact such a law. This report comprises two main sections:

  • Section one – Comparing EU General Data Protection Regulation with data protection laws in Lebanon, the Sultanate of Oman, Qatar, and Tunisia.
  • Section two – Suggesting a comprehensive index for the provisions relating to personal data protection law in Lebanon.

This report was developed with the support of:
